Synology plugs high-risk leak in media server
With updated versions, Synology has closed a security gap in the Media Server that was classified as high risk.
Synology has released updated software packages for the Media Server. They close a high-risk vulnerability that allows attackers to read files without authorization.
In Synology's updated security release, the company claims to provide details of the vulnerability. However, it does not go into much depth: An authorization bypass due to a user-controlled key vulnerability in the streaming service of the Synology Streaming Server allows attackers to read certain files in unspecified ways (CVE-2024-4464, CVSS 7.5, risk "high").
Synology vulnerability: Details still unclear
It remains unclear what exactly attacks could look like and how exactly the vulnerability can be exploited by malicious actors. There are also no known indications of an attack.
The bug affects the Synology Media Server for SRM 1.3 and for DSM 7.1 and 7.2, for which versions 1.4-2680, 2.0.5-3152 and 2.2.0-3325 or newer are available for installation. The integrated update mechanism should display the available update and, depending on the settings, have already downloaded and installed it automatically. However, anyone using Synology routers and Synology NAS systems should log in to the web interface of the devices to check whether updates are available and have them applied quickly.
At the end of November, Synology had already patched security vulnerabilities in the NAS operating system DSM, the NAS app Surveillance Station and the backup solution BeeDrive for Desktop. The German Federal Office for Information Security's (BSI) CERT group has classified some of the vulnerabilities as critical security risks. Since the beginning of November, the manufacturer has also sealed several security gaps in the NAS software, some of which are critical, which were used to compromise the devices as part of the Pwn2Own competition in Ireland.
(dmk)